If you have been using Ansible for a while, you will have wondered whether there is a way to encrypt password information. There is: it's called Ansible Vault.
In this Ansible Vault tutorial I will show you how to keep all your password and sensitive data in encrypted files within Ansible.
For reference, this tutorial is performed on Ubuntu 18.04 Desktop.
What is Ansible Vault?
- What is Ansible Vault?
- Ansible Vault Best Practices
- ansible-vault encrypt
- Using Ansible Vault in Playbook Example
- Frequently Asked Questions
Ansible Vault is a brilliant feature within Ansible that enables you to keep all your passwords and sensitive data in encrypted files, as opposed to having them in plain text within playbooks or in vars files. You either point Ansible Vault to the location of a password file, or you have Ansible prompt for the password each time you run a playbook.
If you are looking for more information on Ansible Network Automation I have a course which will take you from zero to hero with Ansible.
Ansible Vault Best Practices
There are a few steps to setting up an Ansible vault.
- Create vault file using ansible-vault encrypt
- Specify vault password
- View encrypted file using ansible-vault view
Let's step through these steps in more detail.
Note: you do not need to install ansible-vault; it is part of the core Ansible code.
First we are going to need a file that we are going to encrypt. This can either be a new file created in the vault process or we can encrypt a file that already exists. Let’s look at a new file first.
Enter the command ansible-vault create <filename>.yml
In this example I created a file called test-vault.yml, entered some data in the file and saved it.
Now if we look at the file, you can see that the contents are encrypted.
If we want to view that file we just enter the command:
ansible-vault view test-vault.yml
You will be prompted for a password and then you can see the contents of the file.
What if you wanted to encrypt a file that already exists? Simple.
So you already have all your passwords and sensitive information in a file - in my case it is in ./group_vars/all.yml
This is the file
I am going to encrypt it and then run a playbook that needs that password information and see what happens.
First we will encrypt the file with the ansible-vault encrypt ./group_vars/all.yml command
ansible-vault encrypt ./group_vars/all.yml
You are prompted for a password and the file is encrypted.
To verify, if we view the file we just see the encrypted data.
Using Ansible Vault in Playbook Example
Now I have a playbook called backup.yml which needs to access the data in ./group_vars/all.yml
So let's see what happens when we run the playbook.
We get an error: Attempting to decrypt but no vault secrets found
The reason for this is that the all.yml file is now encrypted and you need a password to access the data, but we did not tell Ansible how to get the password.
You can do this in a few ways:
- Prompt for the password during the playbook run
- Specify the location to a password file during the playbook run
- Specify the location to the password in ansible.cfg
Let's look at all 3 options.
Prompt for the password during the playbook run
Just add --ask-vault-pass to the end of your playbook run command, e.g.
ansible-playbook backup.yml --ask-vault-pass
You will then be prompted to enter the password when the playbook runs.
Using Ansible Vault with a Password File
You can also have another file which contains your password. This file needs to be secured with file permissions on the machine and also kept out of your Git repository.
You then specify where this file is with this command:
ansible-playbook backup.yml --vault-password-file vault-pass.txt
vault-pass.txt just needs to contain your password.
Specify the location of a password file in ansible.cfg
You can also specify the location of this file in the ansible.cfg file:
vault_password_file = vault-pass.txt
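Two things go wrong in practice with the workflow above: a vars file under group_vars/ gets committed before anyone ran ansible-vault encrypt on it, or vault-pass.txt ends up world-readable or checked into Git. The following shell functions are an added example (not code from the original post) that a pre-commit hook can run to catch both; they assume secrets live under group_vars/, that the password file is vault-pass.txt in the repository root, and that it is listed in .gitignore.

```shell
# Added example, not code from the original post. Assumed layout: secrets under
# group_vars/ (as in the tutorial), vault password in vault-pass.txt at the
# repository root, and that file listed in .gitignore.

# ansible-vault writes a first line like "$ANSIBLE_VAULT;1.1;AES256"; a
# plaintext vars file has no such header. Return 0 if encrypted, 1 if not.
is_vault_encrypted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Print every YAML file under a directory that is still plaintext and
# return 1 if any exists, so a git pre-commit hook can block the commit.
find_plaintext_vars() {
  dir="$1"; found=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if ! is_vault_encrypted "$f"; then
      echo "PLAINTEXT: $f"
      found=1
    fi
  done <<EOF
$(find "$dir" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort)
EOF
  return $found
}

# The password file must be owner-only (mode 600) and ignored by git, so it
# never ends up in the repository next to the data it decrypts.
password_file_safe() {
  pwfile="$1"; repo="$2"; name=$(basename "$pwfile")
  mode=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile")
  if [ "$mode" != "600" ]; then
    echo "BAD PERMS: $pwfile is mode $mode, expected 600"
    return 1
  fi
  if ! grep -qE "^/?$name\$" "$repo/.gitignore" 2>/dev/null; then
    echo "NOT IGNORED: add $name to $repo/.gitignore"
    return 1
  fi
  return 0
}

# Run both checks against a repository root; non-zero means "do not commit".
check_repo() {
  status=0
  find_plaintext_vars "$1/group_vars" || status=1
  password_file_safe "$1/vault-pass.txt" "$1" || status=1
  return $status
}
```

If you make vault-pass.txt executable, ansible-playbook runs it and uses its standard output as the password (useful for pulling the password from a secrets manager), in which case the permission check should expect 700 rather than 600.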
Decrypting Encrypted Files
If you no longer want your file to be encrypted you can easily decrypt it using the following command:
ansible-vault decrypt <filename>
You will be prompted for the password you originally used to encrypt the file, and it will then be decrypted.
Changing the Password of Encrypted Files
If you want to change the password of your encrypted file you can use the command:
ansible-vault rekey <filename>
You will be prompted for your original password and then your new password.
Note: you can also perform the encrypt, decrypt or rekey operation on multiple files at the same time.
Ansible is just one tool in the world of Network Automation, so I hope this tutorial has been helpful and please check out some other relevant posts below.
Other Ansible related posts:
- What is Ansible and how it works?
- Ansible Hosts File
- Ansible Network Automation Course
- Ansible for Network Engineers
Ansible Documentation - https://docs.ansible.com/ansible/latest/user_guide/vault.html
Frequently Asked Questions
How do you secure secrets in Ansible?
Ansible Vault allows you to secure your secrets, i.e. passwords, API keys and other sensitive information, by encrypting them. To access the secrets you then either provide the encryption password when running the playbook, or store it in a secure place that the playbook can reference.
What is Ansible Vault?
Ansible Vault is a feature within Ansible that allows you to encrypt passwords and sensitive data rather than storing it all in plain text within a playbook or vars files. The encrypted data can be retrieved by supplying the password during a playbook run.
Where is the Ansible Vault file?
Your vault file can be anywhere you want it to be. You simply encrypt the file you want to secure using the command ansible-vault encrypt and then supply a password.